I Want to Believe, but: You Can’t Coast on What You Did for Anti-Spam Measures a Year Ago

Over the past week, we’ve noticed a pattern “in the wild” for emails sent by two of our clients that we haven’t seen before: anti-spam checkers fully loading pages, JavaScript included. This puts a wrinkle in our previous post about using “Email is Delivered” and “Visited Web Page” as a filter combination to get more accurate clicks.

This first came to our attention when we saw companies such as eBay and Johns Hopkins showing up as having clicked several links in every email, with pages being visited across multiple records. You’d see patterns such as six people from Johns Hopkins clicking eight links each and visiting every page. Because of this odd behavior, we looked across several different Marketo instances for patterns.

Symantec Connect is one anti-spam provider that appears to have implemented this in the past few weeks. However, it is not always possible to determine from outside traffic what anti-spam measures are being used. When looking at the IP addresses behind the clicks and web page visits, though, one pattern stands out: Microsoft Azure, Microsoft’s cloud computing platform, is being used by one or more of these services to check web pages before sending information back to the anti-spam provider. Because real humans would not normally go through Azure, this is a reliable signal that the page is not being visited by a person and should be screened out of activity.

Additionally, when looking into this issue, DemandLab noticed a related trend for companies that host their email through Outlook.com: when an email is clicked and a page is visited, Microsoft Azure will also record a second email click and visit to its own IP.

In this case, the first two activities (46080180 and 46079137) are accurate activities logged to the record’s corporate office, but the next two are directly from Microsoft Azure. Similar behavior, where Outlook.com specifically clicks and visits an email’s Unsubscribe Page, has been recorded regardless of whether the person has actually clicked on Unsubscribe. However, it’s important to stress that Azure does not fill out any unsubscribe forms; it simply records a visit to the page.

One of the first steps to take is to ensure that any data being recorded on your website is coming from real traffic rather than a third-party server like Microsoft Azure. If you are using a piece of software such as Google Tag Manager or Tealium to manage where your Marketo tags are deployed, the single easiest thing to do is to simply block Munchkin from loading when a Microsoft Azure IP is detected. This can be done with either Google’s dataLayer or Tealium’s UDO. If you are administering your Munchkin tags more traditionally, you should take a look at using a service such as ipify to check your user’s IP before loading scripts.

Note: Do not block all of 40.*.*.*, as this also contains legitimate traffic from other companies and ISPs.
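As an added example (not DemandLab’s or Marketo’s code), the IP check described above can match exact CIDR blocks instead of a leading octet, which is what leaves the rest of 40.*.*.* untouched. The ranges shown are constructed placeholders to be replaced with the ranges you actually observe, and `loadMunchkin` is a hypothetical wrapper around your existing Munchkin snippet.

```javascript
// Added example. The CIDR blocks below are constructed placeholders
// (RFC 5737 documentation ranges), not real Azure ranges.
const SCANNER_RANGES = ["203.0.113.0/24", "198.51.100.64/26"];

// Convert a dotted-quad IPv4 string to an unsigned 32-bit number; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// True when ip falls inside the CIDR block (e.g. "203.0.113.0/24").
function inCidr(ip, cidr) {
  const [base, bitsText] = cidr.split("/");
  const bits = Number(bitsText);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits); // number of addresses in the block
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// True when ip is inside any listed block; malformed or IPv6 input is never a match.
function isScannerIp(ip, ranges = SCANNER_RANGES) {
  return ranges.some((cidr) => inCidr(ip, cidr));
}

// Browser-side gate: look up the visitor's public IP via ipify, then call the
// site's own Munchkin loader (hypothetical name) only when the IP is not in a
// listed range. If the lookup fails, tracking still loads.
async function gateTracking(loadMunchkin, ranges = SCANNER_RANGES) {
  try {
    const res = await fetch("https://api.ipify.org?format=json");
    const { ip } = await res.json();
    if (isScannerIp(ip, ranges)) return false; // skip tracking for scanner traffic
  } catch {
    // lookup failed: fall through and load, so real visits are not lost
  }
  loadMunchkin();
  return true;
}
```

In a tag manager, the result of `isScannerIp` can instead be pushed into the dataLayer or UDO and used as the blocking condition for the Munchkin tag.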

In addition to this step to block from the web server side, we recommend blocking from the Marketo side as well. Whenever you need to measure web page activity (whether for clicking on an email or any other purpose), we recommend using “Visited Web Page” and then adding the Client IP Address constraint with “Client IP Address does not start with:

As a secondary preventative measure, we also recommend setting up a wait step and listener in your measurement campaign whenever you are recording email link clicks to prevent false positives. Setting a wait step on a “Visited Web Page + Email is Delivered” trigger combination will allow any odd behavior to be caught and subsequently removed:

Wait 30 minutes

If “Member of Smart List” is “Clicked on this email four or more times in past hour”, remove from flow.

Change Program Status to Program -> Clicked Email

As we continue to monitor this not only for our clients but the larger Marketo community, we will provide updates.

1 Comment

Thanks for this insight. We are struggling to prevent fake clicks being registered. Our approach of adding clicks within 15 seconds of a delivery to a bot click static list works well, but Marketo executes the smart campaign at a low priority, so a record may not be added to the static list for 20 minutes or more. We’re waiting 5 minutes already and really don’t want to wait 30 minutes to send an alert email to the sales owner, but we may need to do that.